Zhelatin
Type Mass mailer worm
Creator The Zhelatin gang
Date Discovered 2007.01.19
Place of Origin Russia
Source Language
Platform MS Windows
File Type(s) .exe
Infection Length
Reported Costs

Zhelatin is a very large family of botnet worms. Together with Nuwar it formed what became known as the "Storm Worm" botnet. It was particularly memorable for the subject lines of the emails it arrived in, which read like sensationalist newspaper headlines; one of them exploited fears about the devastating winter storm that hit Europe only a day before the worm started spreading. It set records in several areas, and as a network it was thought to have more computing power than the single most powerful supercomputer of the time.

Behavior

Zhelatin will arrive in an email with one of the following subject lines:

  • 230 dead as storm batters Europe.
  • A killer at 11, he's free at 21 and kill again!
  • U.S. Secretary of State Condoleezza Rice has kicked German Chancellor Angela Merkel
  • British Muslims Genocide
  • Naked teens attack home director.
  • Radical Muslim drinking enemies's blood.
  • Chinese missile shot down Russian satellite
  • Saddam Hussein alive!
  • Venezuelan leader: "Let's the War beginning".
  • Fidel Castro dead.

The message body is blank; the worm itself is carried as an executable attachment named one of the following:

  • ClickHere.exe
  • FlashPostcard.exe
  • FullClip.exe
  • FullNews.exe
  • Full Story.exe
  • FullVideo.exe
  • GreetingCard.exe
  • GreetingPostcard.exe
  • MoreHere.exe
  • Read More.exe
  • ReadMore.exe
  • Video.exe
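A gateway-side check for the message shape described above, written as an added example for this page rather than code from the original page or from any antivirus vendor. It parses a message with Python's standard library, flags the combination of a blank body, an executable attachment and a known Zhelatin attachment name or subject line, and is run over two messages constructed here for the purpose. The list of executable extensions is an assumed gateway policy, and the subject set is a subset of the page's list; neither comes from the page itself.

```python
"""Gateway triage for the Zhelatin mailer pattern: blank body + executable attachment.

Added example, not code from the original page or from any vendor. It uses only
the standard library email parser; the two sample messages are constructed
below, and EXECUTABLE_EXTS is an assumed gateway policy.
"""
import email
from email import policy
from email.message import EmailMessage

# Attachment names listed on the page (compared case-insensitively).
ZHELATIN_ATTACHMENTS = {
    "clickhere.exe", "flashpostcard.exe", "fullclip.exe", "fullnews.exe",
    "full story.exe", "fullvideo.exe", "greetingcard.exe", "greetingpostcard.exe",
    "morehere.exe", "read more.exe", "readmore.exe", "video.exe",
}
# A subset of the page's subject lines, enough for the demonstration.
ZHELATIN_SUBJECTS = {
    "230 dead as storm batters europe.",
    "saddam hussein alive!",
    "fidel castro dead.",
}
# Assumed policy: extensions a gateway should never pass as bare attachments.
EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def assess_message(raw: bytes) -> dict:
    """Return the indicators found in one raw RFC 5322 message and a verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body_text, executables = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            # Judge by the declared filename, not the Content-Type: the worm
            # ships as application/octet-stream and only the extension tells.
            if filename.lower().endswith(EXECUTABLE_EXTS):
                executables.append(filename)
            continue
        if part.get_content_type() == "text/plain":
            body_text += part.get_content()
    subject = (msg["Subject"] or "").strip().lower()
    blank_body = body_text.strip() == ""
    known_names = [f for f in executables if f.lower() in ZHELATIN_ATTACHMENTS]
    known_subject = subject in ZHELATIN_SUBJECTS
    if executables and (blank_body or known_names or known_subject):
        verdict = "block"          # the Zhelatin pattern, or close enough to it
    elif executables:
        verdict = "quarantine"     # a bare executable is policy-worthy on its own
    else:
        verdict = "deliver"
    return {"verdict": verdict, "blank_body": blank_body, "executables": executables,
            "known_names": known_names, "known_subject": known_subject}


def build_sample(subject: str, body: str, attachment=None,
                 mime: str = "application/octet-stream") -> bytes:
    """Construct a test message; attachment is an optional (filename, bytes) pair."""
    m = EmailMessage()
    m["From"] = "news@example.net"
    m["To"] = "someone@example.org"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, payload = attachment
        maintype, subtype = mime.split("/")
        m.add_attachment(payload, maintype=maintype, subtype=subtype, filename=name)
    return m.as_bytes()


# Constructed samples: the worm's shape, and an ordinary message for contrast.
SAMPLE_STORM = build_sample("230 dead as storm batters Europe.", "",
                            ("Full Story.exe", b"MZ\x90\x00" + b"\x00" * 60))
SAMPLE_BENIGN = build_sample("Minutes from Tuesday", "Attached, as promised.\n",
                             ("minutes.pdf", b"%PDF-1.4\n"), mime="application/pdf")

if __name__ == "__main__":
    for label, sample in (("storm", SAMPLE_STORM), ("benign", SAMPLE_BENIGN)):
        print(label, assess_message(sample))
```

The check deliberately keys on the attachment filename rather than the MIME type, because the worm declares its executables as generic octet streams; a name-list match alone would miss the later variants that used new names, which is why the blank body and the executable extension are scored independently.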

When the attachment is executed, the worm copies itself to the system directory as alsys.exe and adds that file as a value under both the local machine (HKLM) and current user (HKCU) Run registry keys, so that it starts with the system and at each user logon. It also creates a randomly named file in the current directory, which antivirus products detect as a trojan. Zhelatin harvests email addresses from files across the system and mails itself to them with its own SMTP engine, connecting directly to each recipient's mail server rather than going through the victim's configured outgoing mail server.

It drops the driver wincom32.sys together with a configuration file, wincom32.ini. The driver is a rootkit that loads a .dll, injected into the services.exe process, which scans UDP ports. This injected component handles the peer-to-peer communication with the other infected computers in the botnet, downloading new files and botnet updates. The worm also marks the system with the identifier "klllekkdkkd" so that the same system is not infected twice.

The worm disables the Windows Firewall/Internet Connection Sharing service (SharedAccess) by setting Start = 4, the "disabled" start type, in that service's registry key. It also disables several antivirus, antispyware and firewall products. In addition it copies itself, as a hidden file with a randomly generated name, into folders that contain .exe and .scr files, and infects those files so that the worm's code runs before the original program.
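The persistence and firewall changes described in the preceding paragraphs are what an incident responder looks for in a registry export taken from a suspect machine. The following is an added example, not code from the page or from any vendor tool: it parses the subset of the .reg export format that matters here and reports the indicators the page names, namely the alsys.exe autorun entries, the SharedAccess service set to Start = 4, and a service that loads wincom32.sys. The sample export, the value name "alsys" and the service name "wincom32" are assumptions constructed for the demonstration; the page does not state them.

```python
"""Registry-export triage for Zhelatin persistence indicators.

Added example, not code from the original page or any vendor. Parses a .reg
export (the subset produced by regedit / "reg export") and reports the
autorun, firewall-service and driver indicators described on the page.
"""
import re

# "name"=data or @=data (the key's default value)
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')
RUN_KEY_SUFFIXES = ("\\microsoft\\windows\\currentversion\\run",
                    "\\microsoft\\windows\\currentversion\\runonce")


def _unescape(s: str) -> str:
    # .reg escaping: a backslash escapes the next character
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(data: str):
    """Decode one value's data: quoted string, dword:, hex(n):, or '-' (delete)."""
    if data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        kind = int(m.group(1) or "3")        # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if kind in (2, 7):                   # REG_EXPAND_SZ / REG_MULTI_SZ are UTF-16LE
            return raw.decode("utf-16-le").rstrip("\x00")
        return raw
    return None if data == "-" else data    # unknown form: keep the raw text


def parse_reg_export(text: str) -> dict:
    """Return {key path: {value name (lowercased): decoded data}}."""
    keys, current, buf = {}, None, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\") and not line.startswith("["):   # wrapped hex data
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else ""  # "" = (Default)
            keys[current][name.lower()] = _decode_data(m.group(2).strip())
    return keys


def find_zhelatin_indicators(keys: dict) -> list:
    """Report the page's persistence indicators found in a parsed export."""
    findings = []
    for key, values in keys.items():
        k = key.lower()
        if k.endswith(RUN_KEY_SUFFIXES):
            for name, data in values.items():
                if isinstance(data, str) and "alsys.exe" in data.lower():
                    findings.append(f"autorun: {key} value {name!r} -> {data}")
        elif "\\services\\" in k:
            service = key.rsplit("\\", 1)[1]
            image = values.get("imagepath")
            if service.lower() == "sharedaccess" and values.get("start") == 4:
                findings.append("firewall: SharedAccess service Start=4 (Windows Firewall/ICS disabled)")
            if isinstance(image, str) and image.lower().endswith("wincom32.sys"):
                findings.append(f"driver: service {service} loads {image}")
    return findings


def triage_export(text: str) -> list:
    return find_zhelatin_indicators(parse_reg_export(text))


# Constructed sample export (not a real capture): a benign ctfmon autorun for
# contrast, the assumed "alsys" value in both Run keys, the SharedAccess
# service disabled, and an assumed service entry for the rootkit driver.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"alsys"="C:\\WINDOWS\\system32\\alsys.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"alsys"="C:\\WINDOWS\\system32\\alsys.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32]
"Type"=dword:00000001
"ImagePath"=hex(2):73,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,77,00,\
  69,00,6e,00,63,00,6f,00,6d,00,33,00,32,00,2e,00,73,00,79,00,73,00,00,00
"""

if __name__ == "__main__":
    for finding in triage_export(SAMPLE_REG_EXPORT):
        print(finding)
```

The parser handles the quoted-string, dword: and hex(n): forms, including the wrapped hex lines an export produces for REG_EXPAND_SZ values such as ImagePath; anything else is returned as raw text so that an unfamiliar value type does not abort the triage. Reading an export rather than the live registry also sidesteps the rootkit, which can hide its own keys from tools running on the infected system.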

Variants

Zhelatin itself is sometimes considered a variant of Nuwar (also known as Glowa), the first variants of which appeared in 2006; some refer to it as Nuwar.N. At that time very few new worms, especially email worms, were being created, and this type of malware was going the way of the boot sector virus; that had not changed by the time the first Zhelatin appeared. Enough variants of Zhelatin exist to go through the alphabet several times. Some of them do not even send the worm itself, but rather a link that downloads a file from an external site which does the same thing as a typical Zhelatin.

Days after the first Zhelatin appeared, a new one appeared with added possible subject lines "The commander of a U.S. nuclear submarine lunch the rocket by mistake", "First Nuclear Act of Terrorism!" and "Third World War just have started!".

By August of 2007 there were variants of Zhelatin that could "infect" blogs. Comment spam was well known by then, but this worm went a step further by posting entire new blog entries: a post with a title and text enticing the reader to click a link that points to a copy of the worm, or to a trojan that zombifies the reader's computer if executed. Sunbelt Software suggested the posts were made through Blogger's mail-to feature, which creates a post from an email sent to a dedicated address. Blogger was not the only site that received the worm's spam posts, though: a Google search for the text common to the spam posts turned up results from other sites. Today such a search mostly turns up pages describing this variant.

Also in that month the variants started making significant changes to how they persist on the system. Some infected the file tcpip.sys, adding code to it so that the worm starts along with the driver. The worm then needs no autostart entry in the registry, which matters because anti-malware programs often flag programs that modify the registry as suspicious.

A variant appearing in May of 2008 downloaded Zango software to infected computers, prompting conspiracy theories about the company. Zango, a purveyor of adware and other potentially unwanted programs, was suspected of having some relationship with the Zhelatin coders, which it denied. Zango already had a deplorable reputation: it was known for software that phones home with user information and is difficult to remove, and it had sued PC Tools and Kaspersky when their products helped users remove its programs. Since 2009 Zango has been owned by an entity calling itself the Pinball Corporation.

Releases of the worm were timed to whichever holiday was near. For Halloween of 2007 the worm invited the victim to download a dancing skeleton from a link in the email. On 2008.04.01 a new Storm worm was released with April Fools-themed subject lines. There were similar campaigns around Labor Day and the beginning of the American football season.

Effects

It is uncertain exactly how many systems were affected by this worm, with estimates usually in the millions. In June of 2007 the FBI reported it had found over 1 million Zhelatin-infected zombie computers; two months later the botnet was put at 1.7 million. Some estimates went as high as 50 million, which would give it more power and resources than the most powerful supercomputer. A UC San Diego professor estimated that about 1.5 million systems were infected, with 200,000 readily available for use by the bot herders at any one time. Malware researchers attributed the sharp growth to the variety of social engineering tactics the worm uses, as well as its unusual methods of gaining a foothold on compromised systems.

Although the botnet consisted of over a million systems, it used only a small fraction of them for spam, which still did not keep it from topping the charts. Zhelatin peaked in September of 2007, accounting for 20 percent of the world's spam. In January of 2008, as Srizbi, Mega-D and Rustock overtook it, it put out only 2 percent of the world's spam, yet by March of 2008 it still had 85,000 zombies sending spam, more than any other botnet at the time.

The damage was believed to be worst in the United States: F-Secure reported that 20.3 percent of the systems it tracked there were infected with the worm, compared with 15.7 percent of European systems.

The primary purpose of Zhelatin is to deliver spam. Customers rent a number of compromised machines from the bot herders and send their spam through them; because the messages are relayed through the compromised computers, they cannot easily be traced back to the spammer. Zhelatin and its variants are also known to have phished information from Royal Bank of Scotland customers and advertised Canadian pharmacy products in January of 2008, and the following month the botnet downloaded a Bancos information-stealing trojan to infected computers.

Zhelatin is believed to have died out in early fall of 2008; spam from the botnet stopped some time in September. Malware researchers warned that it would return, and it did: about a year and a half later several worms with similar tactics appeared, believed to be new variants.

Origin

Zhelatin was the product of a hacker gang of the same name, created to build a botnet for delivering spam and other payloads. For some time it was believed to have originated in Asia, because it began spreading in the very small hours of the morning in Europe (judging from its subject lines, the intended target), which, given the 6 to 7 hour difference between Europe and eastern Asia, would have been about the start of the working day there. F-Secure believed the worm originated in Russia: it uses packers common to Russian groups and connects to servers based in Russia. Exploit Prevention Labs noted that the coders were "in tune with American society" but that their English was a little off, suggesting the worm originated in Europe.

The worm was not well received by the gang behind the Stration worm, who began coding Stration variants that attacked Zhelatin. The gangs essentially went to war for control of zombie computers, both those already infected with one worm or the other and potential new victims. Zhelatin conducted denial-of-service attacks against the coders responsible for Stration.

It is unknown if Zhelatin had any relation to previous or subsequent botnet worms such as Conficker, Sobig or Fizzer.

Name and Categorization

Antivirus companies had already had naming problems with earlier malware, mostly just giving the same sample different names, or treating as a variant of an existing family what others considered a whole new family. With this particular malware, vendors also disagreed on whether it was a worm or a trojan.

Some justified calling it a trojan horse on the grounds that it does not spread on its own once turned loose, but is instead directed by the bot herder. That is not true of all variants: some mass-mail themselves, harvesting addresses and spreading to them automatically.

There is a Russian football player named Aleksei Viktorovich Zhelatin. He likely had no relation to the worm. The Russian word for gelatin is Желатин which would have a transliteration as Zhelatin.

Sources

Kaspersky Lab. Securelist.com, Email-Worm.Win32.Zhelatin.a. 2007.01.31

Mary Landesman. About.com Antivirus Software, Storm Worm.

Cisco Security Agent and the Microsoft Win32/Nuwar.N (Storm Trojan) Exploit.

Alexander Gostev. Securelist, Malware Evolution: January - March 2007, The Internet battlefield. 2007.05.10

John Leyden. The Register, Inboxes battered by Trojan spam deluge. 2007.01.19

-. -, Storm Trojan gang declare start of World War III. 2007.01.22

-. -, Storm botnet blows itself out. 2008.10.14

Dan Goodin. -, Infamous Storm botnet rises from the grave. 2010.09.27

Robert Lemos. SecurityFocus, The Register, Imperfect Storm aids spammers. 2007.02.19

The Real Blogger Status, Storm worm hits Blogger. 2007.08.29 (Information from this blog is same as the now-dead link from Security Focus)

The Politech Blog, Zhelatin Worm; Botnet Spread to 10 Million PCs, Now Via Automated Blog Postings. 2007.09.03

Jeremy Reimer. Ars Technica, FBI: Over one million computers working for botnets. 2007.06.14

The H, Six botnets responsible for nearly all spam. 2008.03.03

-, Zango denies Storm worm conspiracy theories. 2008.05.20

-, Storm worm botnet with over 1.7 million drones. 2007.08.08

Macky Cruz. Trend Micro Blog, Storm Puppet Masters Pushing Zango Software?. 2008.05.15

Cara Garretson. Network World, Storm: the largest botnet in the world? 2007.09.28

-. -, Storm worm pulls Halloween hoax. 2007.10.31

Robert McMillan. -, Storm Worm now just a squall. 2007.10.21

Robert Vamosi. CNet Reviews, Taking the Internet by storm. 2007.04.13

Mark Hachman. ExtremeTech, 'Storm Worm' Sweeps Into U.S. 2007.01.19

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License